C ISPA. Hey, You Have a Problem: On the Feasibility of Large-Scale Web Vulnerability Notification. Ben Stock 29th Annual FIRST Conference
|
|
- Adam Bridges
- 6 years ago
- Views:
Transcription
1 Hey, You Have a Problem: On the Feasibility of Large-Scale Web Vulnerability Notification Ben Stock 29th Annual FIRST Conference
2 Motivation of our Work Large-Scale (Web) Vulnerability Detection Drupaggedon SQLi, Joomla! Object Deserialization, Client-Side XSS, Execute After Redirect on Ruby, Focus previously on Detection, not Notification Our work: understand how notifications can work at scale What are suitable communication channels for such a campaign? Does such a campaign affect the prevalence of the notified vulnerabilities? What might inhibiting factors be? Today s talk: get insights from the CERT community 2
3 Study Setup
4 Types of Vulnerabilities Well-known vulnerabilities for WordPress (43,865 domains, Top 1M) Reflected Cross-Site Scripting in PlUpload flash component (CVE ) Client-Side Cross-Site Scripting in Genericons Example Code (CVE ) XMLRPC Multicall Vulnerability allows attacker to try multiple user/password combinations in a single HTTP request Existing patches for all of them Previously-unknown Client-Side XSS vulnerabilities (925 domains, Top 10K) Site-specific flaws No existing patches 4
5 Communication Channels Direct Communication Channels Web contact forms Generic addresses Domain WHOIS information (registrant or technical contact) Indirect Communication Channels Vulnerability Reward Programs Hosting providers (abuse contacts for the hosting IP range) Trusted Third-Parties regional CERTs (e.g., CERT US, CERT-Bund) FIRST trusted community Ops-Trust 5
6 Notification Procedure Split up data set of vulnerable domains into five groups of equal size Generic, WHOIS, Provider, TTP, and Control Notification via with link to our Web interface alternatively: access via using token Aggregated Disclosure to providers and TTPs Bi-weekly s January 14th, January 28th, February 11th 6
7 Web Interface 7
8
9 Reachability Analysis Mailbox and accessed reports to classify domains reached: report viewed or acknowledged bounced: all s for this domain bounced unreachable: no WHOIS contact, no provider abuse mail, or redirect to Web interface unknown: all others indirect channels: first step of the chain measured 9
10 Global Impact of Notification
11 Fixed Sites over Time WordPress +280 (+3.1%) domains Client-Side XSS 25% Generic Domain Cont. Provider 25% Generic WHOIS Provider 31 (16.8%) TTP Control TTP Control domains 20% 20% fraction of fixed domains 15% 10% fraction of fixed domains 15% 10% 5% 5% 0% 0% 01/14 01/21 01/28 02/04 02/11 01/14 01/21 01/28 02/04 02/11 11
12 Although the notifications for both WordPress and Client-Side XSS showed significant improvements over the control group, the number of domains which were fixed is unsatisfactory (25.8% and 12.6%, respectively).
13 Communication Channel Analysis
14 Reachability of Direct Channels Bounced Unreachable Unknown Reached Viewed 100 % 80 % 60 % 40 % 20 % 0 % Generic WordPress Generic Client-Side XSS WHOIS WordPress WHOIS Client-Side XSS 14
15 Reachability of Direct Channels Bounced Unreachable Unknown Reached Viewed 100 % 80 % 60 % 40 % 550 WHOIS domains report reads, but only 280 fixed 20 % 0 % Generic WordPress Generic Client-Side XSS WHOIS WordPress WHOIS Client-Side XSS 15
16 Reachability of Indirect Channels Bounced Unreachable Unknown Reached Viewed 100 % 80 % 60 % 40 % 20 % 0 % Provider WordPress Provider Client-Side XSS TTPs WordPress TTPs Client-Side XSS 16
17 Reachability of Indirect Channels Bounced Unreachable Unknown Reached Viewed 100 % 80 % 60 % 40 % 70 TTP domains report reads, but only 31 fixed 20 % 0 % Provider WordPress Provider Client-Side XSS TTPs WordPress TTPs Client-Side XSS 17
18 Time to Fix after Report View Same rate as the 50% 50% control group after % fixed domains after view 40% 30% 20% 10% day 5. Generic WHOIS Provider 0% 0days 5days 10 days 15 days 20 days TTP % fixed domains after view 40% 30% 20% 10% 0% 0days 5days 10 days 15 days 20 days WordPress Client-Side XSS 18
19 Key Insights and Follow-Up Questions
20 Establishing Communication Channels Direct channels are hard to reach generic s perform really bad for average Web sites WHOIS helps, but is incomplete (~18.5% without entry) Indirect channels are easier to reach Often do not forward the information top 5 providers (~25% of domains) did not react How can the security community come up with reliable means of establishing communication channels between researchers and affected parties? 20
21 Need for Reminders and Time to Fix Reminders helped especially for direct channels Generic WHOIS Provider TTP Once report was viewed, fix ratio was ~25-30% after five days, WordPress fix rate equaled control group viewed domains Future notification campaigns should make 0 01/17 01/21 01/25 01/29 02/02 02/06 02/10 02/14 WordPress frequent use of reminders How can we improve on the fix ratio? viewed domains Generic WHOIS Provider TTP /17 01/21 01/25 01/29 02/02 02/06 02/10 02/14 Client-Side XSS 21
22 Sender Reputation Previous work found that sender reputation does not matter Our work begs to differ German CERT more inclined to forward information Providers more inclined to act upon German CERT info What is the impact of the sender reputation, especially when using intermediaries, on the success of a notification campaign? 22
23 User Distrust Our experiments required users to click a link or send an with a token Community trains users not to click/react Notified control group with full disclosure results only differed significantly for WordPress BUT: performed worse than with links! Potential issue in the message length To what extent does the message tone, content, and length influence the success of notification campaigns? 23
24 Results Generality Results appear to be dependent on the domain Providers worked best for Network vulns and Heartbleed Even within the same domain, results differ e.g. Generic on WordPress v. Client-Side XSS Are campaigns more successful if the vulnerabilities gained attention in the media (such as Heartbleed)? Does it matter who needs to fix the vulnerability, be it a network admin, Web site developer, or enduser? 24
25 Connecting with the FIRST Community Is it feasible to notify WordPress at scale? Should we use different formats, endpoints,..? How could we make the reports more useful? What else can the research community do to ensure that vulnerability notifications can work at scale? 25
26 Conclusion Conducted first analysis into notifications for Web vulnerabilities at scale two data sets: well-known (WordPress) and previously-unknown (Client-Side XSS) flaws four communication channels: direct (generic s, WHOIS) and indirect (providers, TTPs) Results show statistically significant improvement caused by our campaign WHOIS worked best for WordPress, TTP best for Client-Side XSS Overall improvement was unsatisfactory 74.5% of all domains in data set vulnerable at the end of our experiments Main problem is reaching administrators in the first place 30% fix rate within five days (WordPress) / 25% (Client-Side XSS) Thank you! Questions? 26
C ISPA. Hey, You Have a Problem: On the Feasibility of Large-Scale Web Vulnerability Notification
Hey, You Have a Problem: On the Feasibility of Large-Scale Web Vulnerability Notification Ben Stock, Giancarlo Pellegrino, Christian Rossow, Martin Johns, and Michael Backes USENIX Security Symposium Austin,
More informationMeasurement and Analysis of Private Key Sharing in the HTTPS Ecosystem
Measurement and Analysis of Private Key Sharing in the HTTPS Ecosystem Frank Cangialosi, Taejoong Chung, David Choffnes, Dave Levin, Bruce M. Maggs, Alan Mislove, Christo Wilson How do we know with whom
More informationIntroductions. Jack Katie
Main Screen Turn On Hands On Workshop Introductions Jack Skinner @developerjack Katie McLaughlin @glasnt And what about you? (not your employer) What s your flavour? PHP, Ruby, Python? Wordpress, Drupal,
More informationNetwork Security. Evil ICMP, Careless TCP & Boring Security Analyses. Mohamed Sabt Univ Rennes, CNRS, IRISA Thursday, October 4th, 2018
Network Security Evil ICMP, Careless TCP & Boring Security Analyses Mohamed Sabt Univ Rennes, CNRS, IRISA Thursday, October 4th, 2018 Part I Internet Control Message Protocol (ICMP) Why ICMP No method
More informationUsing Digital Voice Portal Feature Codes
Call Forwarding Always Automatically redirect all incoming calls to another number. When the service is active, a reminder will be displayed on your phone. You can also set your phone to play a Ring Reminder
More informationDon t blink or how to create secure software. Bozhidar Bozhanov, LogSentinel
Don t blink or how to create secure software Bozhidar Bozhanov, CEO @ LogSentinel About me Senior software engineer and architect Founder & CEO @ LogSentinel Former IT and e-gov advisor to the deputy prime
More informationThe Presence and Future of Web Attacks
Agenda The Presence and Future of Web Attacks Marco Fullin, CISSP Warning: This talk will be technical, chaotic and hurt Akamai Today Grow revenue opportunities with fast, personalized web experiences
More informationJAMES BENNETT DJANGOCON EUROPE 3RD JUNE 2015 THE NET IS DARK AND FULL OF TERRORS
JAMES BENNETT DJANGOCON EUROPE 3RD JUNE 2015 THE NET IS DARK AND FULL OF TERRORS WHO I AM Working with Django 9 years, 5 at Lawrence Journal- World Commit bit since 2007 Involved in Django s release and
More informationFacebook API Breach. Jake Williams Rendition Infosec
Facebook API Breach Jake Williams (@MalwareJake) Rendition Infosec www.rsec.us @RenditionSec Facebook View As Facebook allows users/developers to see what a profile page looks like from another user s
More informationFinding Vulnerabilities in Web Applications
Finding Vulnerabilities in Web Applications Christopher Kruegel, Technical University Vienna Evolving Networks, Evolving Threats The past few years have witnessed a significant increase in the number of
More informationMedical Device Vulnerability Management
Medical Device Vulnerability Management MDISS / NH-ISAC Process Draft Dale Nordenberg, MD June 2015 Market-based public health: collaborative acceleration Objectives Define a trusted and repeatable process
More informationBREAKTHROUGH CYBER SECURITY FREQUENTLY ASKED QUESTIONS
BREAKTHROUGH CYBER SECURITY FREQUENTLY ASKED QUESTIONS www.gbmstech.com What does GBMS Tech do? WE STOP MALWARE from running on your computers and mobile devices. We block CryptoLocker and Ransomware without
More informationProvide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any
OWASP Top 10 Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any tester can (and should) do security testing
More informationSecurity and Privacy. SWE 432, Fall 2016 Design and Implementation of Software for the Web
Security and Privacy SWE 432, Fall 2016 Design and Implementation of Software for the Web Today Security What is it? Most important types of attacks Privacy For further reading: https://www.owasp.org/index.php/
More informationThe OWASP Foundation
Application Bug Chaining July 2009 Mark Piper User Catalyst IT Ltd. markp@catalyst.net.nz Copyright The Foundation Permission is granted to copy, distribute and/or modify this document under the terms
More informationCustomer A - Dropbox. Issued to: Report date:
Customer A - Dropbox Issued to: example@example.com Report date: 2015-03-03 Example - dropbox 2015-03-03 Table of Contents Overview 3 Summary 3 Findings 4 User Activities 5 Over time 5 Activity bands 5
More informationOWASP Top 10 The Ten Most Critical Web Application Security Risks
OWASP Top 10 The Ten Most Critical Web Application Security Risks The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain
More informationExit from Hell? Reducing the Impact of Amplification DDoS Attacks Marc Kührer, Thomas Hupperich, Christian Rossow, and Thorsten Holz
Exit from Hell? Reducing the Impact of Amplification DDoS Attacks Marc Kührer, Thomas Hupperich, Christian Rossow, and Thorsten Holz Presented By : Richie Noble Distributed Denial-of-Service (DDoS) Attacks
More informationWeb Security II. Slides from M. Hicks, University of Maryland
Web Security II Slides from M. Hicks, University of Maryland Recall: Putting State to HTTP Web application maintains ephemeral state Server processing often produces intermediate results; not long-lived
More informationOWASP TOP Release. Andy Willingham June 12, 2018 OWASP Cincinnati
OWASP TOP 10 2017 Release Andy Willingham June 12, 2018 OWASP Cincinnati Agenda A quick history lesson The Top 10(s) Web Mobile Privacy Protective Controls Why have a Top 10? Software runs the world (infrastructure,
More informationGlobal Deep Scans Measuring vulnerability levels across organizations, industries, and countries
Global Deep Scans Measuring vulnerability levels across organizations, industries, and countries Fabian Bräunlein Luca Melette SRLabs Template v12 Motivation for this
More information10 FOCUS AREAS FOR BREACH PREVENTION
10 FOCUS AREAS FOR BREACH PREVENTION Keith Turpin Chief Information Security Officer Universal Weather and Aviation Why It Matters Loss of Personally Identifiable Information (PII) Loss of Intellectual
More informationTHE CYBERSECURITY LITERACY CONFIDENCE GAP
CONFIDENCE: SECURED WHITE PAPER THE CYBERSECURITY LITERACY CONFIDENCE GAP ADVANCED THREAT PROTECTION, SECURITY AND COMPLIANCE Despite the fact that most organizations are more aware of cybersecurity risks
More informationAccount Customer Portal Manual
Account Customer Portal Manual Table of Contents Introduction Dashboard Section Reporting Section My Settings Section My Account Section Billing Section Help Section 2 4 7 15 20 25 27 1 Introduction SMTP
More informationDon't Trust The Locals: Exploiting Persistent Client-Side Cross-Site Scripting in the Wild
Don't Trust The Locals: Exploiting Persistent Client-Side Cross-Site Scripting in the Wild Marius Steffens German OWASP Day 2018 joint work with Christian Rossow, Martin Johns and Ben Stock Dimensions
More informationVulnerability Disclosure in the Age of Social Media: Exploiting Twitter for Predicting Real-World Exploits
Vulnerability Disclosure in the Age of Social Media: Exploiting Twitter for Predicting Real-World Exploits Carl Sabottke Octavian Suciu Tudor Dumitraș University of Maryland 2 Problem Increasing number
More informationRegistrar Session ICANN Contractual Compliance
1 Registrar Session ICANN Contractual Compliance ICANN 60 01 November 2017 2 Agenda Brief Update Since ICANN 58 Registrar Compliance Update Performance Measurement & Reporting Update Contractual Compliance
More informationSIP and VoIP What is SIP? What s a Control Channel? History of Signaling Channels
Network Security - ISA 656 Voice Over IP (VoIP) Security Simple SIP ing Alice s Bob Session Initiation Protocol Control channel for Voice over IP (Other control channel protocols exist, notably H.323 and
More informationExecutive Summary. Flex Bounty Program Overview. Bugcrowd Inc Page 2 of 7
CANVAS by Instructure Bugcrowd Flex Program Results December 01 Executive Summary Bugcrowd Inc was engaged by Instructure to perform a Flex Bounty program, commonly known as a crowdsourced penetration
More informationDefying Logic. Theory, Design, and Implementation of Complex Systems for Testing Application Logic. Rafal Los, Prajakta Jagdale
Defying Logic Theory, Design, and Implementation of Complex Systems for Testing Application Logic Rafal Los, Prajakta Jagdale HP Software & Solutions Background The testing of applications for security
More informationDevelopment*Process*for*Secure* So2ware
Development*Process*for*Secure* So2ware Development Processes (Lecture outline) Emphasis on building secure software as opposed to building security software Major methodologies Microsoft's Security Development
More informationQ WEB APPLICATION ATTACK STATISTICS
WEB APPLICATION ATTACK STATISTICS CONTENTS Introduction...3 Results at a glance...4 Web application attacks: statistics...5 Attack types...5 Attack trends...8 Conclusions... 11 2 INTRODUCTION This report
More informationJohn Coggeshall Copyright 2006, Zend Technologies Inc.
PHP Security Basics John Coggeshall Copyright 2006, Zend Technologies Inc. Welcome! Welcome to PHP Security Basics Who am I: John Coggeshall Lead, North American Professional Services PHP 5 Core Contributor
More informationCRAXweb: Web Testing and Attacks through QEMU in S2E. Shih-Kun Huang National Chiao Tung University Hsinchu, Taiwan
CRAXweb: Web Testing and Attacks through QEMU in S2E Shih-Kun Huang National Chiao Tung University Hsinchu, Taiwan skhuang@cs.nctu.edu.tw Motivation Symbolic Execution is effective to crash applications
More informationWhen providing a native mobile app ruins the security of your existing web solution. CyberSec Conference /11/2015 Jérémy MATOS
When providing a native mobile app ruins the security of your existing web solution CyberSec Conference 2015 05/11/2015 Jérémy MATOS whois securingapps Developer background Spent last 10 years working
More informationAttacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14
Attacks Against Websites 3 The OWASP Top 10 Tom Chothia Computer Security, Lecture 14 OWASP top 10. The Open Web Application Security Project Open public effort to improve web security: Many useful documents.
More informationSECURITY TRENDS & VULNERABILITIES REVIEW WEB APPLICATIONS
SECURITY TRENDS & VULNERABILITIES REVIEW WEB APPLICATIONS Contents Introduction...3 1. Research Methodology...4 2. Executive Summary...5 3. Participant Portrait...6 4. Vulnerability Statistics...8 4.1.
More informationProtect your apps and your customers against application layer attacks
Protect your apps and your customers against application layer attacks Development 1 IT Operations VULNERABILITY DETECTION Bots, hackers, and other bad actors will find and exploit vulnerabilities in web
More informationWeb Application Security Statistics Project 2007
Web Application Security Statistics Project 2007 Purpose The Web Application Security Consortium (WASC) is pleased to announce the WASC Web Application Security Statistics Project 2007. This initiative
More informationIncident Response Exercise. June 12, 2013 Koichiro (Sparky) Komiyama Sam Sasaki JPCERT Coordination Center, Japan
Incident Response Exercise June 12, 2013 Koichiro (Sparky) Komiyama Sam Sasaki JPCERT Coordination Center, Japan Exercise Scenario [Systems environment] [Company A s system] OS: Debian Linux (6.0.5) [126.25.10.111]
More informationhaltdos - Web Application Firewall
haltdos - DATASHEET Delivering best-in-class protection for modern enterprise Protect your website against OWASP top-10 & Zero-day vulnerabilities, DDoS attacks, and more... Complete Attack Protection
More informationINJECTING SECURITY INTO WEB APPS WITH RUNTIME PATCHING AND CONTEXT LEARNING
INJECTING SECURITY INTO WEB APPS WITH RUNTIME PATCHING AND CONTEXT LEARNING AJIN ABRAHAM SECURITY ENGINEER #WHOAMI Security Engineering @ Research on Runtime Application Self Defence Authored MobSF, Xenotix
More informationSecurity Improvements on Cast Iron
IBM Software Group Security Improvements on Cast Iron 7.0.0.2 Subhashini Yegappan, Software Support Engineer (syegapp@us.ibm.com) Raja Sreenivasan, Advisory Software Engineer (rsreeniv@in.ibm.com) 31-Mar-2015
More informationAPNIC Update TWNIC OPM 1 JUL George Kuo Manager, Member Services, APNIC
APNIC Update TWNIC OPM 1 JUL 2010 George Kuo Manager, Member Services, APNIC Overview Services Update APNIC 29 Policy Outcomes APNIC Activities Technical Developments IPv6 Program Training Other News Upcoming
More informationOracle Eloqua Classic Insight Dashboards
http://docs.oracle.com Oracle Eloqua Classic Insight Dashboards User Guide 2017 Oracle Corporation. All rights reserved 16-Oct-2017 Contents 1 Classic Insight dashboards 4 2 Benchmark Dashboard 7 2.0.1
More informationCSRF in the Modern Age
CSRF in the Modern Age Sidestepping the CORS Standard Tanner Prynn @tannerprynn In This Talk The State of CSRF The CORS Standard How Not To Prevent CSRF The Fundamentals of HTTP Without cookies: With cookies:
More informationHigh -Tech Bridge s Web Server Security Service API Developer Documentation Version v1.3 February 13 th 2018
HTB_WEBSECDOCS_v1.3.pdf Page 1 of 29 High -Tech Bridge s Web Server Security Service API Developer Documentation Version v1.3 February 13 th 2018 General Overview... 2 Meta-information... 4 HTTP Additional
More informationExploiting and Defending: Common Web Application Vulnerabilities
Exploiting and Defending: Common Web Application Vulnerabilities Introduction: Steve Kosten Principal Security Consultant SANS Instructor Denver OWASP Chapter Lead Certifications CISSP, GWAPT, GSSP-Java,
More informationActive System Management
Active System Management William A. Arbaugh Aram Khalili Pete Keleher Leana Golubchik Department of Computer Science Virgil Gligor Bob Fourney Department of Electrical and Computer Engineering University
More informationSecure DevOps: A Puma s Tail
Secure DevOps: A Puma s Tail SANS Secure DevOps Summit Tuesday, October 10th 2017 Eric Johnson (@emjohn20) Eric Johnson, CISSP, GSSP, GWAPT Cypress Data Defense Principal Security Consultant Static code
More informationPolycom Soundpoint 650 IP Phone User Guide
20 19 18 17 16 1 2 15 14 13 12 This guide will help you to understand and operate your new IP Phone. Please print this guide and keep it handy! 3 11 For additional information go to: http://www.bullseyetelecom.com/learning-center
More informationWeb security: an introduction to attack techniques and defense methods
Web security: an introduction to attack techniques and defense methods Mauro Gentile Web Application Security (Elective in Computer Networks) F. d'amore Dept. of Computer, Control, and Management Engineering
More informationWHOIS Accuracy Study Findings, Public Comments, and Discussion
I C A I NC N A N M N E ME ET EI NT G I N NG O N. o. 3 83 8 2 0 -- 2 55 JJ uu nn e E 2 20 01 10 0 WHOIS Accuracy Study Findings, Public Comments, and Discussion 23 June 2010 David Giza, ICANN Jenny Kelly,
More informationAnalysis of Hypertext Isolation Techniques for Cross-site Scripting Prevention. Mike Ter Louw Prithvi Bisht V.N. Venkatakrishnan
Analysis of Hypertext Isolation Techniques for Cross-site Scripting Prevention Mike Ter Louw Prithvi Bisht V.N. Venkatakrishnan Outline Motivation Hypertext isolation Design challenges Conclusion Quote
More informationRiskSense Attack Surface Validation for Web Applications
RiskSense Attack Surface Validation for Web Applications 2018 RiskSense, Inc. Keeping Pace with Digital Business No Excuses for Not Finding Risk Exposure We needed a faster way of getting a risk assessment
More informationJPCERT/CC Incident Handling Report [January 1, March 31, 2018]
JPCERT-IR-2018-01 Issued: 2018-04-12 JPCERT/CC Incident Handling Report [January 1, 2018 - March 31, 2018] 1. About the Incident Handling Report JPCERT Coordination Center (herein, JPCERT/CC) receives
More informationIs Your Web Application Really Secure? Ken Graf, Watchfire
Is Your Web Application Really Secure? Ken Graf, Watchfire What we will discuss today Pressures on the application lifecycle Why application security defects matter How to create hacker resistant business
More informationHow to Navigate MAX Survey
How to Navigate MAX Survey *This information for this presentation was taken from the website: www.max.gov* Homepage: www.max.gov First time users will need to Register. You can do this with a Username
More informationIPv6- IPv4 Threat Comparison v1.0. Darrin Miller Sean Convery
IPv6- IPv4 Threat Comparison v1.0 Darrin Miller dmiller@cisco.com Sean Convery sean@cisco.com Motivations Discussions around IPv6 security have centered on IPsec Though IPsec is mandatory in IPv6, the
More informationLet your customers login to your store after pre-approval
Customer Approve & Disapprove Let your customers login to your store after pre-approval Extension Specification Document Version: 2.0.0 Magento 2 Extension URL: https://www.extensionhut.com/customer-approve-disapprove-for-magento-2.html
More informationPROTECTING YOUR BUSINESS ASSETS
PROTECTING YOUR BUSINESS ASSETS How to Spot Danger Before Your Computer Gets Infected, Your Site Hosts Malware, and Your Credit Card Number Gets Stolen A MyNAMS Presentation by Regina Smola @2012 Regina
More informationCisco Advanced Malware Protection (AMP) for Endpoints
Cisco Advanced Malware Protection (AMP) for Endpoints Endpoints continue to be the primary point of entry for attacks! 70% of breaches start on endpoint devices WHY? Gaps in protection Gaps in visibility
More informationSymantec Ransomware Protection
Symantec Ransomware Protection Protection Against Ransomware Defense in depth across all control points is required to stop ransomware @ Email Symantec Email Security.cloud, Symantec Messaging Gateway
More informationHow Enterprise Tackles Phishing. Nelson Yuen Technology Manager, Cybersecurity Microsoft Hong Kong
How Enterprise Tackles Phishing Nelson Yuen Technology Manager, Cybersecurity Microsoft Hong Kong Hackers turning to easy marks - Social engineering Phishing was the #1 threat vector (> 50%) for Office
More informationDreamFactory Security Guide
DreamFactory Security Guide This white paper is designed to provide security information about DreamFactory. The sections below discuss the inherently secure characteristics of the platform and the explicit
More informationSEO Factors Influencing National Search Results
SEO Factors Influencing National Search Results 1. Domain Age Domain Factors 2. Keyword Appears in Top Level Domain: Doesn t give the boost that it used to, but having your keyword in the domain still
More informationOWASP Thailand. Proxy Caches and Web Application Security. OWASP AppSec Asia October 21, Using the Recent Google Docs 0-Day as an Example
Proxy Caches and Web Application Security Using the Recent Google Docs 0-Day as an Example Tim Bass, CISSP Chapter Leader, Thailand +66832975101, tim@unix.com AppSec Asia October 21, 2008 Thailand Worldwide
More informationThe Way of the Bounty. by David Sopas
The Way of the Bounty by David Sopas (@dsopas) ./whoami Security Consultant for Checkmarx Security Team Leader for Char49 Disclosed more than 50 security advisories Founder of WebSegura.net Love to hack
More informationMake Notifications Great Again: Learning How to Notify in the Age of Large-Scale Vulnerability Scanning
Make Notifications Great Again: Learning How to Notify in the Age of Large-Scale Vulnerability Scanning Orcun Cetin, Carlos Gañán, Maciej Korczyński, Michel van Eeten Delft University of Technology, the
More informationTHE EFFECTIVE APPROACH TO CYBER SECURITY VALIDATION BREACH & ATTACK SIMULATION
BREACH & ATTACK SIMULATION THE EFFECTIVE APPROACH TO CYBER SECURITY VALIDATION Cymulate s cyber simulation platform allows you to test your security assumptions, identify possible security gaps and receive
More informationCyber security tips and self-assessment for business
Cyber security tips and self-assessment for business Last year one in five New Zealand SMEs experienced a cyber-attack, so it s essential to be prepared. Our friends at Deloitte have put together this
More informationSucuri Technical Overview
Sucuri Technical Overview Product and Service Description 1 TABLE OF CONTENTS SUCURI OVERVIEW Company Overview 3 PRODUCT/SERVICE DESCRIPTION Monitoring Protection Response Backup 4 5 6 6 EXHIBITS A: Holistic
More informationProtect Your End-of-Life Windows Server 2003 Operating System
Protect Your End-of-Life Windows Server 2003 Operating System Your guide to mitigating risks in your Windows Server 2003 Systems after the end of support End of Support is Not the End of Business When
More informationDeliverability Webinar: Factors that Impact Deliverability Hosted by the emarketing Learning ebizitpa
Email Deliverability Webinar: Factors that Impact Deliverability Hosted by the emarketing Learning Center @ ebizitpa Question and Answer Session January 29, 2009 Q: In regards to the slide entitled Step
More informationCross Platform Penetration Testing Suite
Cross Platform Penetration Testing Suite Ms. Shyaml Virnodkar, Rahul Gupta, Tejas Bharambe 1Asst Professor, Department of Computer Engineering, K J Somaiya Institute of Engineering and Information Technology,
More informationThe Ultimate Digital Marketing Glossary (A-Z) what does it all mean? A-Z of Digital Marketing Translation
The Ultimate Digital Marketing Glossary (A-Z) what does it all mean? In our experience, we find we can get over-excited when talking to clients or family or friends and sometimes we forget that not everyone
More informationSystem and Software Architecture Description (SSAD)
System and Software Architecture Description (SSAD) REAL ESTATE INVESTMENT AND REVIEW TOOL TEAM 02 Venkata Sravanti Malapaka (Project Manager / Software Architect) Yuxuan Chen (Prototyper / Developer/Trainer)
More informationProtecting High Value Domains
Protecting High Value Domains SSAC Public Meeting ICANN Cairo 2008 1 What is a high value domain? Working definition: high value domain (HVD) One or a set of names which define an organization's online
More informationSecure your Web Applications with AWS WAF & AWS Shield. James Chiang ( 蔣宗恩 ) AWS Solution Architect
Secure your Web Applications with AWS WAF & AWS Shield James Chiang ( 蔣宗恩 ) AWS Solution Architect www.cloudsec.com What to expect from this session Types of Threats AWS Shield AWS WAF DEMO Real World
More informationOptimization of your deliverability: set up & best practices. Jonathan Wuurman, ACTITO Evangelist
Optimization of your email deliverability: set up & best practices Jonathan Wuurman, ACTITO Evangelist ACTITO Webinar Tour Replays & presentations available at www.actito.com/nl Our mission We help our
More informationGfK Digital Trends for Android. GfK Digital Trends Version 1.21
GfK Digital Trends for Android GfK Digital Trends Version 1.21 Effective Date: 15 th September 2015 Table of Contents 1 System Requirements... 1 2 Download and Installation... 2 2.1 Downloading from the
More informationconcerto: A Methodology Towards Reproducible Analyses of TLS Datasets
concerto: A Methodology Towards Reproducible Analyses of TLS Datasets Olivier Levillain, Maxence Tury and Nicolas Vivet ANSSI Real World Crypto January 6th 2017 Levillain, Tury, Vivet (ANSSI) concerto
More informationGood Fences Make Good Neighbors: Rethinking Your Cloud Selection Strategy
Good Fences Make Good Neighbors: Rethinking Your Cloud Selection Strategy SESSION ID: CSV-W01 Bryan D. Payne Director of Security Research Nebula @bdpsecurity Cloud Security Today Cloud has lots of momentum
More informationProtect Your End-of-Life Windows Server 2003 Operating System
Protect Your End-of-Life Windows Server 2003 Operating System Your guide to mitigating risks in your Windows Server 2003 Systems after the end of support End of Support is Not the End of Business When
More informationPBX Fraud Information
PBX Fraud Information Increasingly, hackers are gaining access to corporate phone and/or voice mail systems. These individuals place long distance and international calls through major telecom networks
More informationANATOMY OF A SPEAR PHISHING ATTACK. A Menlo Security Research Report
ANATOMY OF A SPEAR PHISHING ATTACK A Menlo Security Research Report Overview Today s CISOs are trying unsuccessfully to mitigate the threat of malware and credential theft, the two greatest risks associated
More informationAdaptive Defense 2.4: What s New?
1 1/22 Contents 1. Summary of news in version 2.4... 3 2. Detection and mitigation at the exploit stage of the cyber-attack life cycle Dynamic antiexploit technology... 4 2.1. Why is it important to stop
More informationLecture 4: Threats CS /5/2018
Lecture 4: Threats CS 5430 2/5/2018 The Big Picture Attacks are perpetrated by threats that inflict harm by exploiting vulnerabilities which are controlled by countermeasures. Once Upon a Time Bugs "bug":
More informationWEB APPLICATION VULNERABILITIES
WEB APPLICATION VULNERABILITIES CONTENTS Introduction... 3 1. Materials and methods... 3 2. Executive summary... 4 3. Client snapshot... 4 4. Trends... 5 5. Manual web application security assessment...
More informationOverview Cross-Site Scripting (XSS) Christopher Lam Introduction Description Programming Languages used Types of Attacks Reasons for XSS Utilization Attack Scenarios Steps to an XSS Attack Compromises
More informationOverview of SSL/TLS. Luke Anderson. 12 th May University Of Sydney.
Overview of SSL/TLS Luke Anderson luke@lukeanderson.com.au 12 th May 2017 University Of Sydney Overview 1. Introduction 1.1 Raw HTTP 1.2 Introducing SSL/TLS 2. Certificates 3. Attacks Introduction Raw
More informationDDoS attack patterns across the APJ cloud market. Samuel Chen CCIE#9607 Enterprise Security Architect, Manager - APJ
DDoS attack patterns across the APJ cloud market Samuel Chen CCIE#9607 Enterprise Security Architect, Manager - APJ www.cloudsec.com/tw DDoS attacks from Q1 2014 to Q1 2016 Each dot represents an individual
More informationSecurity Research Advisory ToutVirtual VirtualIQ Pro Multiple Vulnerabilities
Security Research Advisory ToutVirtual VirtualIQ Pro Multiple Vulnerabilities Table of Contents SUMMARY 3 REMOTE COMMAND EXECUTION 4 VULNERABILITY DETAILS 4 TECHNICAL DETAILS 4 INFORMATION LEAKAGE 5 VULNERABILITY
More informationWe will show you how we bypassed every XSS mitigation we tested. Mitigation bypass-ability via script gadget chains in 16 popular libraries
We will show you how we bypassed every XSS mitigation we tested. Mitigation bypass-ability via script gadget chains in 16 popular libraries PoCs included Content Security Policy WAFs whitelists nonces
More informationVoice Mail and Automated Attendant User s Guide
Voice Mail and Automated Attendant User s Guide The document page numbers and the page numbers in this file are offset by one. To manually jump to document page 3, for example, select View -> Go to Page
More informationWeb 2.0 and AJAX Security. OWASP Montgomery. August 21 st, 2007
Web 2.0 and AJAX Security OWASP Montgomery August 21 st, 2007 Overview Introduction Definition of Web 2.0 Basics of AJAX Attack Vectors for AJAX Applications AJAX and Application Security Conclusions 1
More informationSOLUTION BRIEF. Enabling and Securing Digital Business in API Economy. Protect APIs Serving Business Critical Applications
Enabling and Securing Digital Business in Economy Protect s Serving Business Critical Applications 40 percent of the world s web applications will use an interface Most enterprises today rely on customers
More informationBurning Down the Haystack. Tim Frazier Senior Security Engineer
Burning Down the Haystack Tim Frazier Senior Security Engineer tfrazier@splunk.com Professional History EE, Army Comms + Cisco Networking background Transitioned to InfoSec after breaking things and seeing
More informationObservation by Internet Fix-Point Monitoring System (TALOT2) for February 2011
Observation by Internet Fix-Point Monitoring System (TALOT2) for February 2011 1. To General Internet Users According to the Internet Fixed-Point Monitoring System (TALOT2), 143,494 unwanted (one-sided)
More informationUTILIZING THE NEW ALDA WEBSITE (CHAPTER LEADERS GROUP) PRESENTER: BRIAN JENSEN SEPTEMBER 16, 2016
UTILIZING THE NEW ALDA WEBSITE (CHAPTER LEADERS GROUP) PRESENTER: BRIAN JENSEN SEPTEMBER 16, 2016 Today I will be explaining the issues involved in fixing and upgrading our website, and how we can use
More information